Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

 

patterns & practices Developer Center

Related Links

patterns & practices Security Guidance for Applications Index

patterns and practices Index

.NET Architecture Center

Application Architecture for .NET: Designing Applications and Services

Roadmap

J.D. Meier, Alex Mackman, Michael Dunner, and Srinath Vasireddy
Microsoft Corporation

Published: November 2002

Last Revised: January 2006

Summary: This guide presents a practical, scenario driven approach to designing and building secure ASP.NET applications for Windows 2000 and version 1.0 of the .NET Framework. It focuses on the key elements of authentication, authorization, and secure communication within and across the tiers of distributed .NET Web applications. (This roadmap: 6 printed pages; the entire guide: 608 printed pages)

Download

Download Building Secure ASP.NET Applications in .pdf format. (1.67 MB, 608 printed pages)

Contents

What This Guide Is About
   Part I, Security Models
   Part II, Application Scenarios
   Part III, Securing the Tiers
   Part IV, Reference
Who Should Read This Guide?
What You Must Know
Feedback and Support
Collaborators

Recommendations and sample code in the guide were built and tested using Visual Studio .NET Version 1.0 and validated on servers running Windows 2000 Advanced Server SP 3, .NET Framework SP 2, and SQL Server 2000 SP 2.

What This Guide Is About

This guide focuses on:

  • Authentication (to identify the clients of your application)
  • Authorization (to provide access controls for those clients)
  • Secure communication (to ensure that messages remain private and are not altered by unauthorized parties)

Why authentication, authorization, and secure communication?

Security is a broad topic. Research has shown that early design of authentication and authorization eliminates a high percentage of application vulnerabilities. Secure communication is an integral part of securing your distributed application to protect sensitive data, including credentials, passed to and from your application, and between application tiers.

There are many technologies used to build .NET Web applications. To build effective application-level authentication and authorization strategies, you need to understand how to fine-tune the various security features within each product and technology area, and how to make them work together to provide an effective, defense-in-depth security strategy. This guide will help you do just that.

Figure 1 summarizes the various technologies discussed throughout the guide.

Ff649100.fa2sn01(en-us,PandP.10).gif

Figure 1. .NET Web application security

The guide is divided into four parts. The aim is to provide a logical partitioning, which will help you to more easily digest the content.

Part I, Security Models

Part I of the guide provides a foundation for the rest of the guide. Familiarity with the concepts, principles, and technologies introduced in Part I will allow you to extract maximum value from the remainder of the guide. Part I contains the following chapters.

  • Chapter 1: Introduction

    This chapter highlights the goals of the guide, introduces key terminology, and presents a set of core principles that apply to the guidance presented in later chapters.

  • Chapter 2: Security Model for ASP.NET Applications

    This chapter describes the common characteristics of .NET Web applications from a security perspective and introduces the .NET Web application security model. It also introduces the set of core implementation technologies that you will use to build secure .NET Web applications.

  • Chapter 3: Authentication and Authorization

    Designing a coherent authentication and authorization strategy across your application's multiple tiers is a critical task. This chapter provides guidance to help you develop an appropriate strategy for your particular application scenario. It will help you choose the most appropriate authentication and authorization technique and apply them at the correct places in your application.

  • Chapter 4: Secure Communication

    This chapter introduces the two core technologies that can be used to provide message confidentiality and message integrity for data that flows across the network between clients and servers on the Internet and corporate intranet. These are SSL and IPSec. This chapter also discusses RPC encryption, which can be used to secure the communication with remote serviced components.

Part II, Application Scenarios

Most applications can be categorized as intranet, extranet, or Internet applications. This part of the guide presents a set of common application scenarios, each of which falls into one of those categories. The key characteristics of each scenario are described and the potential security threats analyzed.

You are then shown how to configure and implement the most appropriate authentication, authorization, and secure communication strategy for each application scenario.

Part III, Securing the Tiers

This part of the guide contains detailed drill-down information that relates to the individual tiers and technologies associated with secure .NET Web applications. Part III contains the following chapters.

  • Chapter 8: ASP.NET Security

    This chapter provides in-depth security recommendations for ASP.NET Web applications. It describes how to implement Forms and Windows authentication and how to perform authorization using the various gatekeepers supported by ASP.NET. Among many other topics, it also discusses how to store secrets, how to use the correct process identity, and how to access network resources such as remote databases by using Windows authentication.

  • Chapter 9: Enterprise Services Security

    This chapter explains how to secure business functionality in serviced components contained within Enterprise Services applications. It shows you how and when to use Enterprise Services (COM+) roles for authorization, and how to configure RPC authentication and impersonation. It also shows you how to securely call serviced components from an ASP.NET Web application and how to identify and flow the original caller's security context through a middle tier serviced component.

  • Chapter 10: Web Services Security

    This chapter focuses on platform-level security for Web services using the underlying features of Internet Information Services (IIS) and ASP.NET. For message-level security, Microsoft is developing the Web Services Development Kit, which allows you to build security solutions that conform to the WS-Security specification, part of the Global XML Architecture (GXA) initiative.

  • Chapter 11: Remoting Security

    The .NET Framework provides a remoting infrastructure that allows clients to communicate with objects, hosted in remote application domains and processes or on remote computers. This chapter shows you how to implement secure .NET Remoting solutions.

  • Chapter 12: Data Access Security

    This chapter presents recommendations and guidance that will help you develop a secure data access strategy. Topics covered include using Windows authentication from ASP.NET to the database, securing connection strings, storing credentials securely in a database, protecting against SQL injection attacks, and using database roles.

Part IV, Reference

This reference part of the guide contains supplementary information to help further your understanding of the techniques, strategies, and security solutions presented in earlier chapters.

  • Chapter 13: Troubleshooting Security

    This chapter presents a set of troubleshooting tips, techniques, and tools to help diagnose security related issues.

  • How Tos

    This section contains a series of step-by-step How-to articles that walk you through many of the solution techniques discussed in earlier chapters.

  • Base Configuration

    This section lists the hardware and software used during the development and testing of the guide.

  • Configuration Stores and Tools

    This section summarizes the configuration stores used by the various authentication, authorization, and secure communication services and lists the associated maintenance tools.

  • Reference Hub

    This section provides a set of links to useful articles and Web sites that provide additional background information about the core topics discussed throughout the guide.

  • How Does It Work?

    This section provides supplementary information that details how particular technologies work.

  • ASP.NET Identity Matrix

    This section summarizes (with examples) the variables available to ASP.NET Web applications, Web services, and remote components hosted within ASP.NET that provide caller, thread, and process-level identity information.

  • Cryptography and Certificates

    This section includes supplementary background information about cryptography and certificates.

  • .NET Web Application Security

    This section provides a diagram that shows the authentication, authorization, and secure communication services available across the tiers of an ASP.NET application.

  • Glossary

    A glossary of security terminology used throughout the guide.

Who Should Read This Guide?

If you are a middleware developer or architect, who plans to build, or is currently building .NET Web applications using one or more of the following technologies, you should read this guide.

  • ASP.NET
  • Web services
  • Enterprise Services
  • Remoting
  • ADO.NET

What You Must Know

To most effectively use this guide to design and build secure .NET Web applications, you should already have some familiarity and experience with .NET development techniques and technologies. You should be familiar with distributed application architecture and if you have already implemented .NET Web application solutions, you should know your own application architecture and deployment pattern.

Feedback and Support

Questions? Comments? Suggestions? For feedback on this security guide, please send e-mail to secguide@microsoft.com.

The security guide is designed to help you build secure .NET distributed applications. The sample code and guidance is provided as-is. Support is available through Microsoft Product Support for a fee.

Collaborators

Many thanks to the following contributors and reviewers:

Manish Prabhu, Jesus Ruiz-Scougall, Jonathan Hawkins and Doug Purdy, Keith Ballinger, Yann Christensen and Alexei Vopilov, Laura Barsan, Greg Fee, Greg Singleton, Sebastian Lange, Tarik Soulami, Erik Olson, Caesar Samsi, Riyaz Pishori, Shannon Pahl, Ron Jacobs, Dave McPherson, Christopher Brown, John Banes, Joel Scambray, Girish Chander, William Zentmayer, Shantanu Sarkar, Carl Nolan, Samuel Melendez, Jacquelyn Schmidt, Steve Busby, Len Cardinal, Monica DeZulueta, Paula Paul, Ed Draper, Sean Finnegan, David Alberto, Kenny Jones, Doug Orange, Alexey Yeltsov, Martin Kohlleppel, Joel Yoker, Jay Nanduri, Ilia Fortunov, Aaron Margosis (MCS), Venkat Chilakala, John Allen, Jeremy Bostron, Martin Petersen-Frey, Karl Westerholm, Jayaprakasam Siddian Thirunavukkarasu, Wade Mascia, Ryan Kivett, Sarath Mallavarapu, Jerry Bryant, Peter Kyte, Philip Teale, Ram Sunkara, Shaun Hayes, Eric Schmidt, Michael Howard, Rich Benack, Carlos Lyons, Ted Kehl, Peter Dampier, Mike Sherrill, Devendra Tiwari, Tavi Siochi, Per Vonge Nielsen, Andrew Mason, Edward Jezierski, Sandy Khaund, Edward Lafferty, Peter M. Clift, John Munyon, Chris Sfanos, Mohammad Al-Sabt, Anandha Murukan (Satyam), Keith Brown (DevelopMentor), Andy Eunson, John Langley (KANA Software), Kurt Dillard, Christof Sprenger, J.K.Meadows, David Alberto, Bernard Chen (Sapient)

patterns & practices Developer Center

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

© Microsoft Corporation. All rights reserved.